[RD06] BoostAeroSpace classification of information

Classification of information
V1.1
Effective Date: 17 February 2016
Document's target audience:
This document, as an annex to the BOOSTAEROSPACE Security Policy, is intended for all BOOSTAEROSPACE HUB users, and candidates to join the BOOSTAEROSPACE HUB, who will manipulate data from and/or to the HUB.
This includes BOOSTAEROSPACE hub services end users, infrastructure administrators and guest users.
Whenever data has to be manipulated inside or outside the BoostAeroSpace HUB, the rules written in this document must be applied.
Index:
1. CLASSIFICATION OF INFORMATION
2. HANDLING AND LABELLING OF INFORMATION
3. BAS USERS OBLIGATIONS AGAINST CLASSIFIED DOCUMENT
Author: BoostAeroSpace Security Management Authority
Effective date: 17/02/2016
DISTRIBUTION: BoostAeroSpace PUBLIC
STATUS: FINAL
Copyright © 2016, BoostAeroSpace SAS.
All Rights reserved, proprietary document.
BOOSTAEROSPACE
17/02/16
Version 1.1
CLASSIFICATION OF INFORMATION
Signature Page
Validation has been made during BoostAeroSpace SMA Meeting of the 16/02/2016 by:
Airbus Group SMA representative: Gilbert BOURRY
AIRBUS SMA representative: Gil MULIN
Dassault Aviation SMA representative: Christophe FLOCH
Safran SMA representative: Frédéric GOURJAUT
Thales SMA representative: Bernard DENIS
Boost Aerospace Security Management Authority
Date: 16/02/2016
EXECUTIVE SUMMARY
Introduction:
The correct maintenance and use of collaborative corporate information, needed to fulfill the aims of the BoostAeroSpace partners, requires that this information be protected against loss, destruction, modification or unauthorized distribution.
To ensure that information receives an appropriate level of protection, information should be classified to indicate the need, priorities, and expected degree of protection when handling it.
Main rule:
All data hosted on the BoostAeroSpace (BAS) HUB are by default classified “BoostAeroSpace Industry Confidential”, meaning that users shall in all cases label this information with this classification.
Information can also be downgraded to a lower classification, BoostAeroSpace Reserved or BoostAeroSpace Public, for specific associated disclosure needs. The following table shows the classification rule to be applied:
Classification name: BoostAeroSpace Industry Confidential
- Rules for classification: Default rule applied to any data stored on the BAS collaboration platform.
- Disclosure: Only users having the authorization to use one or all BoostAeroSpace service(s) associated with this classification (AirCollab, AirDesign, and AirSupply).
Classification name: BoostAeroSpace Reserved
- Rules for classification: Data downgraded from BAS industry confidential level that must not be disclosed to everyone.
- Disclosure: Any BoostAeroSpace user that can be identified by a BoostAeroSpace user having access to BoostAeroSpace services.
Classification name: BoostAeroSpace Public
- Rules for classification: Data downgraded from BAS reserved, that can be publicly disclosed.
- Disclosure: Everyone
BoostAeroSpace (BAS) classification of information versus other classifications:
BAS security is managed by the BAS Security Management Authority (SMA), composed of the security representatives of the BAS founding partner companies, who are responsible for providing their internal and external company classifications with regard to the BAS classification definitions written in this document. The following diagram is intended to illustrate the level of the BAS default classifications compared with the “usual” classifications, so that users do not store “overclassified” information inside the BAS collaborative platform.
In order to protect BAS classified data, the BAS SMA has validated BAS services that have sufficient security measures to guarantee the security of the BoostAeroSpace Industry Confidential, Reserved and Public classifications.
In order to allow BAS users to initiate collaboration more easily, with a level of data protection sufficient to protect BoostAeroSpace Reserved classified data, the AirCollab service with login/password authentication is the only BAS service where the default “BoostAeroSpace Industry Confidential” data protection rules are not required.
1. CLASSIFICATION OF INFORMATION
1.1. PURPOSE
The purpose of this policy is to define and describe the BoostAeroSpace security classification and
labeling scheme and how it must be applied.
1.2. INTRODUCTION
The information of the BoostAeroSpace partners is a valuable asset that must be protected. Clearly, though, not all information requires the same level of protection. Resources are limited and must therefore be used in an intelligent and focused way to ensure that information is afforded only the minimum protection commensurate with its value. This policy describes BoostAeroSpace’s system of classification and labeling and provides examples of information types from key BoostAeroSpace functional areas.
1.3. CLASSIFICATION DEFINITIONS
There are only three (3) classifications for BoostAeroSpace collaboration platform data: “BoostAeroSpace Industry Confidential”, “BoostAeroSpace Reserved” and “BoostAeroSpace Public”.
The definitions of these three (3) classifications are the only definitions to be used by any BoostAeroSpace user, with regard to the user company's internal data classification definition, which can complement or replace it.
BoostAeroSpace INDUSTRY CONFIDENTIAL:
Any information related to normal BoostAeroSpace partner business activities and processes, which is not for official public disclosure and is not deemed to be sensitive. The compromise of such information is not expected to adversely impact the partner's Company, its employees, its suppliers, its business partners, and/or its customers.
BoostAeroSpace RESERVED:
Any information not classified BoostAeroSpace INDUSTRY CONFIDENTIAL that needs to be protected against unauthorized access, and whose compromise will not negatively impact the partner's Company.
BoostAeroSpace PUBLIC:
Any information that can be publicly disclosed out of the BoostAeroSpace trust circle.
The BoostAeroSpace SAS Company has defined an additional classification: “BOOSTAEROSPACE COMPANY CONFIDENTIAL”. This classification level is not associated with the BoostAeroSpace collaboration platform. It represents any Company information which, if disclosed without permission, can cause serious damage to the business: e.g. loss of public image, non-compliance with non-disclosure agreements, statutory requirements, security of the BoostAeroSpace services (internal infrastructure details like IP addresses, component details and versions, etc.).
It includes information not yet publicly disclosed and internal business information, such as contract documentation, business processes, corporate strategies, and assumptions and results of business plans.
1.4. ADDITIONAL CLASSIFICATION CAVEAT
Where necessary, an additional security caveat can be added to the security classification label to further restrict the dissemination of information, i.e. limiting distribution/access to specific departments, functions, programs, nationalities or suppliers/types of suppliers.
The caveat should be written to represent the permitted disclosure rule, in front of the classification label, when it is necessary to narrow it to a more restricted population than the one listed in the Executive Summary chapter.
Examples of security caveats:
BoostAeroSpace INDUSTRY CONFIDENTIAL – PERSONAL INFORMATION
BoostAeroSpace INDUSTRY CONFIDENTIAL – EXECUTIVE COMMITTEE
BoostAeroSpace INDUSTRY CONFIDENTIAL – SMA
BoostAeroSpace Reserved – Company shareholders
1.5. COPYRIGHT
Any BoostAeroSpace company document which is distributed outside of the BoostAeroSpace trust circle must be copyright protected using the “BoostAeroSpace S.A.S All rights reserved, proprietary document” markup.
In all cases, any existing copyright markups must not be modified.
Further information can be sought from the Legal department of each BoostAeroSpace partner.
1.6. NEED TO KNOW
Limiting the distribution of sensitive information to only those people who strictly ‘need-to-know’ greatly reduces the possibility that this information inadvertently finds its way outside the BoostAeroSpace Hub. Information distribution must be limited to only those who strictly need that information to support their particular business activity. Persons must not be given access to this information simply because of their management level within the company or, for example, because they have a high level government security clearance.
1.7. MAPPING AGAINST EXISTING PARTNERS ENTITY CLASSIFICATION SCHEMES
All data within the Collaborative Platform are by default classified as “BoostAeroSpace Industry Confidential”. The secure handling of all data with this classification within the Collaborative Platform is assured by the BoostAeroSpace Services (AirCollab+, AirDesign, AirSupply), with the exception of AirCollab, which is not approved for the exchange of classified data other than “BoostAeroSpace Reserved” or “BoostAeroSpace Public” without additional security protection of the data.
The Collaborative Platform is not by default [1] approved to handle the exchange of data having any national or international governmental classification. The Subscriber of the BoostAeroSpace collaborative platform services is responsible for mapping the BoostAeroSpace classifications against an appropriate internal company classification. Furthermore, the Subscriber must make sure the users of the Collaborative Platform under his responsibility are aware of the corresponding handling and labeling rules.
Where Company classification schemes already exist, these classifications can continue to be used provided that they map closely to the Classification Scheme provided by this Policy, i.e. BOOSTAEROSPACE INDUSTRY CONFIDENTIAL. Also, for partner internal document circulation, the labels associated with the 2 classifications can be kept, or a security caveat can be applied to the BoostAeroSpace classification (e.g. BoostAeroSpace INDUSTRY CONFIDENTIAL – AIRBUS INTERNAL).
[1] The platform offers the “by default” protection to allow storage and exchange of data as validated by the Security Management Authority of BoostAeroSpace, composed of aerospace and defense companies, and therefore cannot be responsible for the protection of any national classified data. It is up to the user to apply the data protection rules associated with the government classification prior to any storage or exchange of this data on the BoostAeroSpace collaborative platform.
1.8. GOVERNMENT CLASSIFICATION SCHEMES
Government classified material has to be treated in accordance with the national rules of the countries that BOOSTAEROSPACE operates in. Users must comply with this policy; failure to do so may result in disciplinary action being taken, including dismissal and possible criminal prosecution for serious or recurring cases. The BoostAeroSpace Security Management Authority is responsible for ensuring that this policy is implemented within the area of responsibility of each SMA partner’s security representative. Advice on dealing with such material must be sought from their local Security Officer. The BOOSTAEROSPACE classification scheme must not be confused with the classification schemes used by national governments and their departments (e.g. Defense ministries), even though in many cases the same words are used. Users must be careful when sending information to government departments to ensure that they do not create confusion, e.g. a document must be labeled as “BoostAeroSpace INDUSTRY CONFIDENTIAL” rather than just “INDUSTRY CONFIDENTIAL”.
1.9. PROTECTION OF PERSONAL DATA
BOOSTAEROSPACE will protect its users’ personal data to the extent required by the laws of the countries in which it operates. The legal framework for data protection within the European Union is comprised of European Directives, which have been transposed into several national laws that apply in each Member State.
2. HANDLING AND LABELLING OF INFORMATION
This section defines the general rules for the handling of BOOSTAEROSPACE information.
3.1. GENERAL HANDLING RULES DETAILS VERSUS CLASSIFICATION MARK
The Security Management Authority of the collaborative platform has defined a set of handling and
labeling rules that shall be applied by any user of the collaborative platform as default handling and
labeling rules of BoostAeroSpace collaborative platform data.
As explained in chapter §1.7, “Mapping against existing Partners Entity Classification Schemes”, the user shall apply his company’s handling and marking rules prior to the rules defined below when his company’s security officer or equivalent has defined such rules.
The rules below follow the “must”, “should”, “may” rules as defined in RFC 2119, with capital “(M)” for “Must”, “(S)” for “Should”, and “(Y)” for “maY” before each rule’s details.
Handling and labeling rules per BoostAeroSpace classification:
BOOSTAEROSPACE INDUSTRY CONFIDENTIAL
- Distribution, copying: (M) To the BOOSTAEROSPACE users who need it to perform their day-to-day work, on a need-to-know basis only + NDA for non-BAS users.
- Marking of media: (M) label it in all cases, inside or outside BAS, according to this policy
- Paper Distribution: (S) enclosed in a secured envelope
- Email, files Internal: (S) company means & encrypted
- Email, files over Internet: (M) company means & encrypted
- Faxing: (S) avoid
- Distribution: (M) to distribution list defined by owner
- Printing: (M) Using professional materials, local printer or (S) shared printer with PIN code for recovery
- Physical paper-storage without direct survey: (M) Access controlled area, (M) cupboard + locked office
- Destruction: (M) shred, using Crossed Cutting Shredder (DINS3) for paper
BOOSTAEROSPACE RESERVED
- Distribution, copying: (M) To the people who need it to perform their day-to-day work, on a need-to-know basis only
- Marking of media: (S) label it in all cases, inside or outside BAS, according to this policy
- Paper Distribution: (M) enclosed in closed letter
- Email, files Internal: (Y) company means & encrypted
- Email, files over Internet: (Y) company means & encrypted
- Faxing, printing: (M) Avoid public means
- Physical paper-storage without direct survey: (M) Access controlled area, (Y) locked office
- Destruction: (M) Manually shredded, recycle bin
BOOSTAEROSPACE PUBLIC
- Distribution, copying: No restriction
- Marking of media: (M) label it according to this policy to avoid it being reclassified BOOSTAEROSPACE Industry confidential.
- Emails, files: unprotected, no encryption required
- Faxing, printing, physical paper-storage, destruction: no restriction
BoostAeroSpace SAS Company Internal Classification:
BOOSTAEROSPACE COMPANY CONFIDENTIAL
- Distribution, copying: (M) Need-to-know basis only + NDA for non-BAS users.
- Marking of media: (M) label it in all cases, inside or outside BAS Services, according to this policy.
- Paper Distribution: (M) enclosed in a secured envelope
- Email, files Internal: (M) Encrypted
- Email, files over Internet: (M) Encrypted
- Faxing: (M) Forbidden
- Distribution: (M) to distribution list defined by owner, not to forward without owner agreement.
- Printing: (M) Using professional materials, local printer or (S) shared printer with PIN code for recovery
- Physical paper-storage without direct survey: (M) Locked Safe, always in hands during transit
- Destruction: (M) shred, using Crossed Cutting Shredder (DINS3) for paper
2.1. MARKING HARD-COPY DOCUMENTS
Whenever feasible, all hard copy documents must have a clearly visible security classification label
centrally positioned at the bottom of each page.
2.2. MARKING ELECTRONIC DOCUMENTS
A document’s classification must appear in the header (top or bottom) of every page of the document.
The first line of the body of an email must also indicate the classification of the email text or the attached document (e.g. “text and attachments of this email are classified BoostAeroSpace Confidential Industry”).
3.2. CLASSIFICATION OF DOCUMENTS
The responsibility for classifying BAS information or material lies with the originator or creator
(e.g. the person who has written the document).
3.3. RECORDING
The protection of BOOSTAEROSPACE industry confidential information must be carefully controlled. All BoostAeroSpace industry confidential information in physical format, e.g. printed documents, presentations, backup media used in BAS infrastructures, mobile USB disks used to store BAS data, CD-ROMs and any electronic media, shall be labeled by the owner “BoostAeroSpace Confidential Industry”.
3.4. GOOD PRACTICES FOR THE TRANSFER OF BAS CLASSIFIED MATERIAL
BAS information can be transmitted by physical means (e.g. sending a paper document or a CD-ROM through the mail system), by electronic means (e.g. transferring a document by email), or using the BAS HUB Services (e.g. upload of a document in AirCollab).
In all cases, the following security measures are to be applied in addition to the classification labeling rules:
- In case of paper-based transmission: request a specific acknowledgement from the receiver, using postal means or a parallel means (e.g. an email exchange to confirm good reception of the documents);
- In case of electronic transmission by email internally in a partner network: freely transferable in clear email, after verifying that no company-external email address has been added to the recipients list prior to transfer;
- In case of electronic transmission by email over the Internet: prefer sending the BAS AirCollab electronic reference to the documents instead of directly adding the document in clear in the email. If your recipient cannot get this document using BAS AirCollab services, always use a cryptographic email service when available.
3.5. CONSEQUENCES OF AGGREGATION
Users are to be aware of the effect of aggregation, whereby large quantities of non-sensitive information may become sensitive, e.g. data backups. Therefore, when aggregating BOOSTAEROSPACE industry confidential data, users may have to apply higher internal classification guidelines to the information (e.g. encryption of backup data).
3.6. DOWNGRADING
It is the owner’s responsibility to periodically review BOOSTAEROSPACE Industry Confidential information and, if appropriate, downgrade it by reclassifying it. In such a case, the information must be labeled “BOOSTAEROSPACE RESERVED” or “BOOSTAEROSPACE PUBLIC” to indicate that the data no longer have to be protected with the initial BAS collaborative platform security measures.
E.g. downgrading of a document to allow its publication on the Open AirCollab BAS service or the Internet.
3. BAS USERS OBLIGATIONS AGAINST CLASSIFIED DOCUMENT
In order to enforce the BAS Security Policy regarding the classification of BAS information, a set of golden rules shall be observed by the end user:
- MAKE SURE that all outgoing information to partners, suppliers, Airworthiness Authorities, etc. is clearly marked with “BoostAeroSpace S.A.S All rights reserved, proprietary document”,
- Check materials to be presented to a broad audience (e.g. Customer Focus Group, Airworthiness Authorities) for confidentiality-related matters,
- Only send relevant information to third parties (extract versus whole document),
- Send documentation only to key persons involved in a project,
- Never forward internal messages to third parties, but create a new message and replace non-needed information with “[…]”,
- Respect applicable program-related classification schemes coming from customers or authorities by which his company, using BAS, has an obligation to abide (e.g. USA FOUO),
- In case of any doubt, contact the relevant person who is responsible for confidentiality matters in his company, program or project,
- Continually be aware of their behavior towards sensitive information and of the potential impacts in case of misuse.
ANNEX C BoostAeroSpace classification logos to be applied to documents
Text to include in document Header or Footer:
- In red, when possible: BoostAeroSpace INDUSTRY CONFIDENTIAL
- In blue (R49,G91,B157), when possible: BoostAeroSpace RESERVED
- In black, otherwise: BoostAeroSpace PUBLIC
- In red, when possible: BoostAeroSpace COMPANY CONFIDENTIAL
Color logos and gray logos: [images not reproduced]